CSE543 - Introduction to Computer and Network Security Page
CSE543 - Computer andNetwork Security
Module: Trusted Computing
Professor Trent Jaeger
1
Monday, December 10, 12
CSE543 - Computer and Network Security Page
What is Trust?• dictionary.com
‣ Firm reliance on the integrity, ability, or character of a person or thing.
2
Monday, December 10, 12
CSE543 - Computer and Network Security Page
What is Trust?• dictionary.com
‣ Firm reliance on the integrity, ability, or character of a person or thing.
• What do you trust?‣ Trust Exercise
2
Monday, December 10, 12
CSE543 - Computer and Network Security Page
What is Trust?• dictionary.com
‣ Firm reliance on the integrity, ability, or character of a person or thing.
• What do you trust?‣ Trust Exercise
• Do we trust our computers?
2
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Trust• “a system that you are forced to trust because you have
no choice” -- US DoD
3
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Trust• “a system that you are forced to trust because you have
no choice” -- US DoD
• “A ‘trusted’ computer does not mean a computer is trustworthy” -- B. Schneier
3
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Trusted Computing Base• Trusted Computing Base (TCB)
‣ Hardware, Firmware, Operating System, etc
• There is always a level at which we must rely on trust• How can we shrink the TCB?
4
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Trustworthy Computing• Microsoft Palladium (NGSCB)
5
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Example of FUD• Trusted Computing: An Animated Short -
http://www.lafkon.net/tc/
6
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Trusted Computing• Components (according to Wikipedia)
‣ Secure I/O
‣ Memory Curtaining
‣ Sealed Storage
‣ Remote Attestation
• Requires hardware support
7
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Trusted Platform Module• The Trusted Platform Module (TPM) provides hardware
support for sealed storage and remote attestation• What else can it do?
‣ www.trustedcomputinggroup.org
8
Monday, December 10, 12
CSE543 - Computer and Network Security Page
TPM Components
10
Non-Volatile Storage
Platform Configuration Register (PCR)
Attestation Identity Key
(AIK)
Program Code
Random Number
Generator
SHA-1 Engine
Key Generation
RSA Engine
Opt-In Exec Engine
I/O
Monday, December 10, 12
CSE543 - Computer and Network Security Page
TPM Discrete Components• Input/Output (I/O)
‣ Allows the TPM to communicate with the rest of the system
• Non-Volatile Storage‣ Stores long term keys for the TPM
• Platform Configuration Registers (PCRs)‣ Provide state storage
• Attestation Identity Keys (AIKs)‣ Public/Private keys used for remote attestation
• Program Code‣ Firmware for measuring platform devices
• Random Number Generator (RNG)‣ Used for key generation, nonce creation, etc
11
Monday, December 10, 12
CSE543 - Computer and Network Security Page
TPM Discrete Components• SHA-1 Engine
‣ Used for computing signatures, creating key Blobs, etc
• RSA Key Generation‣ Creates signing keys, storage keys, etc. (2048 bit)
• RSA Engine‣ Provides RSA functions for signing, encryption/decryption
• Opt-In‣ Allows the TPM to be disabled
• Execution Engine‣ Executes Program Code, performing TPM initialization and
measurement taking
12
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Tracking State• Platform Configuration
Registers (PCRs) maintain state values.
• A PCR can only be modified through the Extend operation‣ Extend(PCR[i], value) :
• PCR[i] = SHA1(PCR[i] . value)
• The only way to place a PCR into a state is to extend it a certain number of times with specific values
13
BIOS Self Measurement
OS Loader Code
OS Code
Application Code
Measurement Flow(Transitive Trust)
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Secure vs. Authenticated • Secure boot stops execution if
measurements are not correct
• Authenticated boot measures each boot state and lets remote systems determine if it is correct
• The Trusted Computing Group architecture uses authenticated boot
14
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Protected Storage• The TPM has limited storage
capacity‣ Key pairs are commonly stored on
the system, but are encrypted by a storage key
• Users can protect data by allowing the TPM to control access to the symmetric key
• Access to keys can be sealed to a particular PCR state
15
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Public/Private Keys• Endorsement Key (EK)
‣ Only one EK pair for the lifetime of the TPM
‣ Usually set by manufacturer
‣ Private portion never leaves the TPM
• Storage Root Key (SRK)‣ Created as part of creating a new platform owner
‣ Used for protected storage
‣ Manages other keys, e.g., storage keys
‣ Private portion never leaves the TPM
• Attestation Identity Keys (AIKs)‣ Used for remote attestation
‣ The TPM may have multiple AIKs16
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Using TCG• Justify System Integrity• Attestation Approaches
‣ Trusted Platform on Demand (TPoD)• IBM Research Tokyo
‣ Linux Integrity Measurement Architecture• Sailer et. al. (USENIX Security 2004)
‣ BIND: A Fine-grained Attestation Service for Secure Distributed Systems• Shi et. al. (IEEE S&P 2005)
• Network Authentication‣ Trusted Network Connect (TNC)
• www.trustedcomputinggroup.org
17
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Integrity Measurement • IPsec and SSL provide secure communication
‣ But with whom am I talking?
18
Secure Channel
On-Demand / GridSecure DomainsB2B ApplicationThin-Client
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Integrity Measurement
19
ExecutionFlow
MeasurementFlow
Defined by TCG(Platform specific)
Defined by Grub(IBM Tokyo Research Lab)
Platform Configuration Registers 0-23
TCG-based Integrity Measurement Architecture
0-7 4-7 >= 8
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Basic Idea
20
Analysis
System-RepresentationSigned TPM Aggregate
SHA1(Boot Process)SHA1(Kernel)SHA1(Kernel Modules)SHA1(Program)SHA1(Libraries)SHA1(Configurations)SHA1(Structured data)…
Measurement
System Properties ext. Information
(CERT,…)
KnownFingerprints
Attested System
Program
Kernel Kernelmodule
Configdata
Boot-Process
Data
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Measurement List
21
/bin/bash
Measurement List (Kernel-held)
MemoryMap Schedule
Traditional execution path
Execve(*file)
SHA1
Linux Security Module
SHA1
Linux Security Module
Integrity Value
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Some Details• Kernel Measures
‣ Executables, Libraries, Modules
• At‣ Load time only
• Applications May Measure Also‣ Critical input
• Issues Addressed:
• Prevents writing on actively measured files‣ Cannot open for write while file is open
• Non-deterministic loading‣ Need measurement list
22
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Key Distribution• Before remote attestation can
occur, the challenger must have either knowledge of the public portion of an AIK, or a CA’s public key
• Old standards required the Privacy CA to know the TPM’s PUBlic Endorsement Key (PUBEK)
• Direct Anonymous Attestation (DAA), added to the latest specifications, uses a zero-knowledge proof to ensure the TPM is real
23
TPM Privacy CA
Challenger
AIK+
SigCA- {AIK+, ...}
{CA+}SigAIK- {PCR}, SigCA- {AIK+, ...}
2
3
1
4
Monday, December 10, 12
CSE543 - Computer and Network Security Page
Using TCG• Many claim TCG will aid DRM
• How might one use the TPM for DRM?‣ Discuss
• Trusted Computing is a double-edged sword‣ so is cryptography
24
Monday, December 10, 12
CSE543 - Computer and Network Security Page
False Claims• Having a TPM will keep me from using opensource
software‣ No, the TCG architecture only specifies authenticated boot.
This simply records each step, but does not, and cannot, stop the use of opensource operating systems, e.g. Linux
• TPM, Palladium/NGSCB, and DRM are all the same‣ No, the TPM is only one of the components required for
NGSCB to function
• Loss of Internet Anonymity‣ The addition of DAA allows Privacy CAs to function with
zero-knowledge proofs
• Others?
25
Monday, December 10, 12